MyToyota Hacked? Showing Wrong Cars and Details

Just got a new phone and logged into MyToyota app. And up popped Nicole's C-HR profile - umm that's not me.
Logged into chrome and up popped Amanda's Corolla Hatch Hybrid. Nice red colour BTW Amanda, you should be chuffed.

What the actual F?


Comments

  • +1
  • +12

    Seems so, or at least a glitch somewhere. Logging in shows me Paolo's Camry L4 and Paolo's e-mail address. Neither are known to me.

    Refreshing the page keeps bringing up other people's cars and details. That's quite a big privacy breach.

    • Looks like they've disabled the site now. Unable to login saying it's "under maintenance".

  • This is bad… I'm seeing Shelly's Prado with all her contact details…!!

  • +2

    Toyota ran out of hard drive space and had to buy more hard drives to get their servers back up and running. I wonder if it is related?

  • +2

    I managed to log in via the webportal (https://www.toyota.com.au/mytoyota) to clear out as much personal info as I could: use a false name, clear phone number and changed my addresses…

    Couldn't change my e-mail address, or remove my vehicle though

    • You were too late. I already scraped all your info, Mr Ghost Rider.

  • Brett's Landcruiser here…

  • -5

    new phone? the 15 comes out soon. rookie move

  • +11

    I've got spackbace's Prius, his Perth address and how he dreams to own a 300 series one day.

    • +4

      It attracts all the hairdressers

      • Ooo off topic and while you're here, can you do an AMA as a Toyota employee? What kind of discounts do you get?

        • Nah, did one at another point in time but there's very little you can discuss openly, considering half the questions were about money…

  • Created an account, and it shows "Russell's Kluger"
    Vic reg, vehicle is a 2013. LOL.

  • logged into MyToyota app
    up popped Nicole's C-HR profile
    up popped Amanda's Corolla Hatch

    What version of the app? Is it V5.0

  • +3

    MyToyota Hacked? Showing wrong cars and details

    Doesn't sound 'hacked' as such, more they screwed up the back end.

    I just logged in to mine and getting JIMMY'S C-HR.

    So wondering who is getting my car!?

    • Can't really see anything personal other than a rego number at this stage.

      Oh wait, can see someone else's email address. Yeah that isn't good.

  • +3

    Sounds like a caching issue (possibly). Similar thing happened to Steam in 2015; see https://www.youtube.com/watch?v=dkSslseq9Y8

  • +1

    Thanks for the heads up, I've changed my personal details since they aren't competent enough to securely store data.

  • Who's reporting this to news?

    • +6

      Thank you for getting in touch with ABC News, Analysis and Investigations.

      We may not be able to get back to everyone individually; we will be in touch if we need more information from you.

      If you have any questions or concerns, you can reply to this email.

      Thank you,

      The ABC News, Analysis and Investigations team

      😅

      • Legende

        • Will be on Q&A tomorrow.

      • -1

        I wonder if the ABC call out Toyota will the far right still call Aunty lefty liars?

  • Uh oh

  • Just logged into the app again and got a different profile..

  • Nobody is going to care about my bottom of the line Corolla sedan hybrid. Couldn't even out run an unfit 10 year old on a rusty bicycle.

  • +1

    Seems like a major screw up. It's only going to happen more and more.

    Not being a Toyota owner what benefits does the app have? Or is it just a pointless way for them to collect more data about you?

    • Not being a Toyota owner what benefits does the app have? Or is it just a pointless way for them to collect more data about you?

      Features Here.

      I have a Ford and it has an app (FordPass). Shows me vehicle stats, allows me to remote start, lock, unlock the car. Shows my fuel level and rough estimated kms left on that fuel, tyre pressures, any alerts (ECU errors etc), you can book a service and see where it's located. MyToyota app looks similar.

      • +1

        So just gimmicks to disguise your data collection.

        Aside from remote lock/unlock, stuff you could find out from the dashboard - or at least don't really need to know unless you are at the car. Even remote start should probably be within range of the key so you can see the vehicle.

        • +2

          So just gimmicks to disguise your data collection.

          Kinda, but also lets you know of alerts easily and what they are without a dash light coming on. Plus, reports back to your Ford Profile for servicing etc. But what doesn't collect your data? It is an opt in, it isn't mandatory.

          Aside from remote lock/unlock, stuff you could find out from the dashboard

          Yes, that is somewhat true.

          Even remote start should probably be within range of the key so you can see the vehicle.

          Nope. It is done via a cell connection. I can remotely start the car, and lock or unlock it from anywhere with an internet connection on my phone and cell service in the car. It obviously isn't going to work in the middle of nowhere. But I use it all the time, especially in summer, start the car with the aircon on so it's cool when I get into it.

          • @geekcohen:

            It is done via a cell connection.

            My point being, how often do you actually need to start or unlock the car when you aren't within key distance, within sight? Suspect you wouldn't often need to unlock or start your car from the other side of the planet.

            • +3

              @Euphemistic: No, but always nice to go, "Oh, did I lock it?" and just confirm it via the app.

              • -1

                @geekcohen: And yet if humans relied on brains and memory a bit more maybe the pumpkin muscle would avoid or delay early onset dementia.
                I'd love to know what meaningful things ppl do with the millions of nano seconds they save via superfluous tech.

                • -1

                  @Protractor: A major contributor to dementia & Alzheimer's is insufficient REM sleep. That stage of sleep literally "washes" our brains, by clearing amyloids that contribute to neural degeneration.

                  Doing puzzles and everyday activities is mostly helpful as an early warning that something's amiss.

                • -1

                  @Protractor: As to manually unlocking and starting your vehicle: +1 here.

                  A quick search will show how transmitter relay hacking and Canbus splicing has made car theft easier than ever.

                  • @Speckled Jim: Crazy isn't it that us old school thinkers have to leave 0.3 seconds earlier so we have time to insert and twist a key, or press the fob button.
                    I feel robbed

            • +1

              @Euphemistic:

              My point being, how often do you actually need to start or unlock the car when you aren't within key distance, within sight?

              Depending on your State it is also illegal to leave your car running when you are not in it.

              • @Grunntt: Please show your working

                • @spackbace: Pretty sure ARR Reg 213 covers it mostly - you can probably find the exceptions but basically if you are parked on a road and more than 3 meters away I believe this applies.

                  • +1

                    @Grunntt: Given remote start has been a common thing for a while (VF commodore from 2013, CJD likely from a similar time), I think you'll find there's caveats to that. Given that any remote start will not allow the car to be driven (Toyota's will turn the car off once the doors are unlocked, VF would kill the engine once you tried to take it out of Park), they'll be perfectly legal

                    Again, unless you can actually show the evidence to the opposite

                    • @spackbace:

                      I think you'll find there's caveats to that

                      Again, unless you can actually show the evidence to the opposite

                      Seeing as I pointed you to the legislation maybe you could actually show the evidence other than 'you think'.

                      • -2

                        @Grunntt:

                        213 Making a motor vehicle secure

                        (1) This rule applies to the driver of a motor vehicle who stops and leaves the vehicle on a road, except so far as the driver is exempt from this rule under another law of this jurisdiction.

                        And just carries through from there. That part of the law is about someone stopping and parking a car, and of course removing the key

                        Might want to find the right part of the law if you want to have a sensible argument

                        • @spackbace:

                          Might want to find the right part of the law if you want to have a sensible argument

                          Maybe take a moment to read what I posted - it pretty clearly stated "if you are parked on a road and more than 3 meters away I believe this applies."

                          I'm not arguing about anything - just pointing out what may apply.

                          Now are you going to show clear examples of the caveats that apply to remote start?

                          Even BMW can't give a clear answer when asked.

                          "BMW terms and conditions document includes the admission “the use of Remote Engine Start is governed by various laws. The use of this function might be unlawful. BMW recommends that drivers "check the legal situation before use”.

                          Seeing as you appear to be employed at Toyota maybe you could find someone there to give a definitive answer backed by some documented fact?

                          • -2

                            @Grunntt: Why do I need to find legal terms to disprove what you said, when you can't even find legal terms to back up what you said?

                            Walking away from a parked car and making sure to remove the key is a far cry from a locked, parked car being remotely started

                            Find me that legal info

                            • @spackbace:

                              Walking away from a parked car and making sure to remove the key is a far cry from a locked, parked car being remotely started
                              Find me that legal info

                              This is just another case of the law not keeping up with technology so unfortunately, it will be at the discretion of the police/ranger/court until the ARR are updated.

                              Reading through a few of your previous comments to others here you appear to be more concerned with 'I'm right, you're wrong'.
                              Rather than supporting your opinions with actual fact you tend to expect others to answer your demands with facts but conveniently ignore requests from others.
                              I assume this part of the thread is going to go the same way as many of your others so at this point I will leave it to others to make up their own mind after making their own enquiries.

                              • -1

                                @Grunntt: Generally speaking, if you make a statement about the law, it shouldn't be difficult to find said law and quote it.

                                Yet when I picked apart your argument to show that the section of the law you quoted is about parking a car, and making sure you remove the key, you had no defence and instead want me to prove something I don't need to.

                                Maybe don't try to quote things if you can't actually prove what you're trying to say?

                              • -1

                                @Grunntt: Turbo timers have been around way longer than remote start……..

    • Not being a Toyota owner what benefits does the app have?

      The main benefit anyone uses it for is a daily fuel offer for discounted fuel.

      Other than that, it doesn't tell you much for the general user, but does show things like when your services have been done, when the warranty expires etc.

      So while the pretty app page shows you all these remote data things that can be done, the fact is most cars sold in Australia don't have that feature installed.

  • +1

    I just attempted to open the app from my end (as someone who owns a Toyota; have you found my car yet? It's a silver Corolla hybrid sedan) and it's down for maintenance

  • -4

    hahahahahahahahah imagine using an app for your car

    • Clearly haven't looked much into a Tesla Dash. It's pretty much an app running the car.

      • +1

        Clearly I have a car without any of this bs.

        • +2

          So a 2007 Toyota Camry? Like most of the OzBargain community?

          And whilst people think some cars have "bs features", they are very handy. Takes some getting used to, but makes driving safer.

    • +1

      My car has an app inc user profile and NFC/ fingerprint reader :)

  • The Corolla shown on landing page is a White Corolla, but NSW rego shows it as a 2013 Silver RAV (BTW, YBM47Y you have a month left on your rego)

  • This was happening last year, I shared all the data with the Toyota Australia emails and Toyota Australia FB page and it took them weeks to ask me to delete it - lol.

  • Looks like someone at Toyota has woken up. Logins disabled

    System message
    We apologise for the inconvenience. We are undertaking maintenance and myToyota is currently unavailable.

  • +1

    Waiting for the admission in a month that Russian hackers have Toyota customer base data and are undergoing ransom attack.

    • +1

      They're trying to find Hiluxes to use as war machines

      • +1

        They'll need to come with outriggers and 7 extra fuel filters

  • +1

    Unfortunately Toyota has a long history of being breached or itself exposing customer information. Google search and you will see for yourself. The new "penalties" introduced by the Government are a joke and would for most businesses be seen as "a cost of doing business".

    • -1

      It's so frustrating that the fines for these breaches are so small. I think 1B dolla fines will cause companies to take notice.

  • +1

    Not sure why anyone would share PII with a company like this that operates from another legal jurisdiction.

    If Tesla, the most advanced consumer automotive company, can't be trusted around collecting and storing private info, why give any mainstream automotive manufacturer any private info?

    If the car requires:
    - an App
    - a network connection
    - any form of 'Sign-up'

    Automotive companies have failed time and time again to implement consumer facing technologies (let alone embedded computer technologies) in their products and online. Why would they be trusted with anything that isn't firmly within their wheelhouse?

    I'd suggest looking at the competition, or better still, maintain a used car well, ideally the one you have/devil you know, at least until you can find a trustworthy supplier!

    • +2

      I'd suggest looking at the competition

      Why? You can opt out…

      • +1

        Because of the truth. Perhaps facts will help out

        https://foundation.mozilla.org/en/blog/privacy-nightmare-on-…

        • American data… got anything better?

          Different cars, different apps

          That being said, we do give Toyota a thumbs up for granting all people in the US, not just those covered by California's strong CCPA privacy law, the same rights to do things like have their data deleted or opt out of having some of their data sold.

          • @spackbace: I note u are not saying, maybe suggesting(?) Toyota Oz is different. When it is not. If it is, pls do let us know!

            Understand that (only) in California, one of Toyota's largest markets, there is now law that forces Toyota to (at least) do the 'deletion thing'. This is why they made this single, reactive change.

            Toyota had no choice.

            And there is no evidence to say it does delete customer data when asked (rather than just de-index/surface it). There are no checks- no auditing, transparency, or third party verification. They just make claims.

            There is not even anything to stop them doing a Medibank/Optus/Latitude and keep it all, forever, even where asked to delete it. If so, it will simply be collected by the first attacker on the Internet to find the gold. Had they applied better ethics, they would have understood the lawmaker's motivations, and begin an overhaul of all their data collection and use activities, a re-write of all their software and systems, (not to mention fix all the holes in their threat model), so that the customers' right to privacy is appropriately respected by design in all their products. Like Apple (claims) they could then lead their entire industry.

            Especially given that the logic, services, and apps are designed and managed in Japan, the US, probably India (probably) and probably a lot of other low cost asian jurisdictions.

            Given that we have no privacy rights, no effective privacy law, there is no reason for us to hope we might be any better off- or that someone, somewhere in Toyota will delete our data, even if an app or a service offers us such an option.

  • Obviously some North Korea hackers are behind …

  • I needed to log my car again as all details were wiped. Is this related?

    • Into MyToyota? It's been decommissioned. You now use the Toyota Connect app

      • I had the same app as I had before (called MyToyota on my phone). Added my details again and it's working but it removed my vehicle.

        • Because it's decommissioned … use the Toyota Connect app instead.

    • -1

      More importantly does the car still start when you crank it? ;)

  • -1

    Should we not share all those email addys and names etc on here; for research purposes?

  • -1

    I agree that Toyota are nincompoops when it comes to privacy. I once went for a service and had to try at least 10 times to get them to stop sending me random text messages saying that I am due for another service.

    They are also nincompoops when it comes to EV. They believe in hydrogen; apparently.

    • +1

      Hydrogen? Sounds like lizard people stuff

      • Yeah, look at Toyota Mirai.
